1 import ./make-test-python.nix ({ pkgs, ...} : {
2   name = "cfssl";
4   nodes.machine = { config, lib, pkgs, ... }:
5   {
6     networking.firewall.allowedTCPPorts = [ config.services.cfssl.port ];
8     services.cfssl.enable = true;
9     systemd.services.cfssl.after = [ "cfssl-init.service" ];
11     systemd.services.cfssl-init = {
12       description = "Initialize the cfssl CA";
13       wantedBy    = [ "multi-user.target" ];
14       serviceConfig = {
15         User             = "cfssl";
16         Type             = "oneshot";
17         WorkingDirectory = config.services.cfssl.dataDir;
18       };
19       script = with pkgs; ''
20         ${cfssl}/bin/cfssl genkey -initca ${pkgs.writeText "ca.json" (builtins.toJSON {
21           hosts = [ "ca.example.com" ];
22           key = {
23             algo = "rsa"; size = 4096; };
24             names = [
25               {
26                 C = "US";
27                 L = "San Francisco";
28                 O = "Internet Widgets, LLC";
29                 OU = "Certificate Authority";
30                 ST = "California";
31               }
32             ];
33         })} | ${cfssl}/bin/cfssljson -bare ca
34       '';
35     };
36   };
38   testScript =
39   let
40     cfsslrequest = with pkgs; writeScript "cfsslrequest" ''
41       curl -f -X POST -H "Content-Type: application/json" -d @${csr} \
42         http://localhost:8888/api/v1/cfssl/newkey | ${cfssl}/bin/cfssljson /tmp/certificate
43     '';
44     csr = pkgs.writeText "csr.json" (builtins.toJSON {
45       CN = "www.example.com";
46       hosts = [ "example.com" "www.example.com" ];
47       key = {
48         algo = "rsa";
49         size = 2048;
50       };
51       names = [
52         {
53           C = "US";
54           L = "San Francisco";
55           O = "Example Company, LLC";
56           OU = "Operations";
57           ST = "California";
58         }
59       ];
60     });
61   in
62     ''
63       machine.wait_for_unit("cfssl.service")
64       machine.wait_until_succeeds("${cfsslrequest}")
65       machine.succeed("ls /tmp/certificate-key.pem")
66     '';